Rules vs. Reasoning in the Security Ops Center

by Alexa Rzasa
category Security Operations

For the last 15 years, Security Operations Centers have used correlation rules (Boolean logic applied to the logs collected in their SIEM) to describe the situations that look like an attack. The intent of this industry-standard practice is to reduce the volume of events to a level a human can analyze effectively. Interestingly, the average SOC looks at less than 0.0001% of the security events it collects, and the events it does evaluate are typically very specific patterns of well-known attacks, such as five failed logins in quick succession. These “correlated events” are then presented to a human for analysis and decision at a rate of between 75 and 150 events per hour.

While monitoring these correlated events, the security analyst uses their expertise and experience to evaluate each suspected situation and determine whether any of the events represents a malicious incident that requires immediate investigation and remediation. Analysts are taught to reason to the “most likely” explanation, and understandably, their knowledge grows with experience. With the advent of AI-based expert systems such as The Respond Analyst, which can mathematically reason to the most likely explanation from observable facts, rules are becoming obsolete.

The reasoning

Human security analysts reason in a genuinely probabilistic manner. For example, when confronting an alert that a database server is under attack while knowing there is an open change ticket for a database upgrade, the likelihood that it is a malicious attack drops significantly. The trouble is that the human analyst performs this single check and then tends to ignore all further activity on that important server for the rest of the change window, which is exactly when an attacker who has timed their activity to coincide with the change goes unnoticed. A probabilistic model, by contrast, treats the change ticket as one piece of evidence to be weighed alongside every other observable fact, every time, rather than as a reason to stop looking.

Consider another example: repeated failed logins on service machines. The vast majority of the time this is the result of an expired service account that was not renewed in time. The human analyst’s familiarity with that fact prompts them to open a ticket to the server administrator rather than digging deeper. Our biases consistently offer a rapid explanation for events we have seen before, and the modern attacker is well trained to take advantage of exactly these analytical shortcuts, for instance by making a credential-guessing burst look like a routine expired-account failure.
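To make the contrast concrete, here is an added example (it is not code from the original post or from Respond Software) that runs both approaches over a handful of constructed auth log lines: a classic five-failed-logins correlation rule, the “suppress everything on a server with an open change ticket” shortcut, and a likelihood-ratio scorer that weighs every available fact. The log format, host and account names, context tables and likelihood ratios are all assumptions chosen for illustration.

```python
# Added example (not from the original post or from Respond Software): a Boolean
# correlation rule beside likelihood-ratio reasoning over the same constructed logs.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: a failure burst from an expired service account via
# the admin jump host, then a burst from an external address that ends in success.
SAMPLE_LOG = """\
2024-03-04T02:01:10 db01 sshd auth=fail user=svc_backup src=10.0.5.20
2024-03-04T02:01:12 db01 sshd auth=fail user=svc_backup src=10.0.5.20
2024-03-04T02:01:14 db01 sshd auth=fail user=svc_backup src=10.0.5.20
2024-03-04T02:01:16 db01 sshd auth=fail user=svc_backup src=10.0.5.20
2024-03-04T02:01:18 db01 sshd auth=fail user=svc_backup src=10.0.5.20
2024-03-04T02:03:00 db01 sshd auth=fail user=dba_admin src=198.51.100.7
2024-03-04T02:03:02 db01 sshd auth=fail user=dba_admin src=198.51.100.7
2024-03-04T02:03:04 db01 sshd auth=fail user=dba_admin src=198.51.100.7
2024-03-04T02:03:06 db01 sshd auth=fail user=dba_admin src=198.51.100.7
2024-03-04T02:03:08 db01 sshd auth=fail user=dba_admin src=198.51.100.7
2024-03-04T02:03:30 db01 sshd auth=ok user=dba_admin src=198.51.100.7
"""
# Constructed context an analyst (or a model) has alongside the logs (assumed values).
CONTEXT = {
    "change_windows": {"db01": (datetime(2024, 3, 4, 1), datetime(2024, 3, 4, 4))},
    "admin_jump_hosts": {"10.0.5.20"},
    "corporate_network": ipaddress.ip_network("10.0.0.0/8"),
    "expired_accounts": {"svc_backup"},
}
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd auth=(?P<result>ok|fail) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def key_of(e):
    return (e["host"], e["user"], e["src"])

def boolean_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Classic SIEM rule: N failures for one host/user/src triple inside one window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails[key_of(e)].append(e["ts"])
    alerts = []
    for key, stamps in fails.items():
        stamps.sort()
        if any(stamps[i + threshold - 1] - stamps[i] <= window
               for i in range(len(stamps) - threshold + 1)):
            alerts.append(key)
    return alerts

def suppress_by_change_ticket(alerts, ctx):
    """The human shortcut the post describes: drop every alert on a host under change."""
    return [k for k in alerts if k[0] not in ctx["change_windows"]]

# Assumed likelihood ratios: how much more likely each observation is if the burst
# is malicious than if it is benign. Values below 1 argue for a benign explanation.
PRIOR_MALICIOUS = 0.05
LIKELIHOOD_RATIOS = {"inside_change_window": 0.2, "src_is_admin_jump_host": 0.1,
                     "src_is_external": 20.0, "account_expired": 0.05, "success_after_failures": 5.0}

def observations(key, events, ctx):
    """Collect every observable fact about one alert key, not just the first one."""
    host, user, src = key
    mine = [e for e in events if key_of(e) == key]
    fails = [e["ts"] for e in mine if e["result"] == "fail"]
    win = ctx["change_windows"].get(host)
    checks = {
        "inside_change_window": bool(win) and win[0] <= min(fails) <= win[1],
        "src_is_admin_jump_host": src in ctx["admin_jump_hosts"],
        "src_is_external": ipaddress.ip_address(src) not in ctx["corporate_network"],
        "account_expired": user in ctx["expired_accounts"],
        "success_after_failures": any(e["result"] == "ok" and e["ts"] > max(fails)
                                      for e in mine),
    }
    return {name for name, hit in checks.items() if hit}

def posterior_malicious(obs, prior=PRIOR_MALICIOUS, lrs=LIKELIHOOD_RATIOS):
    """Bayes in odds form: prior odds times the likelihood ratio of each observation."""
    odds = prior / (1 - prior)
    for o in obs:
        odds *= lrs[o]
    return odds / (1 + odds)

def triage(log_text, ctx=CONTEXT, escalate_at=0.5):
    """Run the rule, then reason over context for every hit instead of suppressing."""
    events = parse(log_text)
    verdicts = {}
    for key in boolean_rule(events):
        obs = observations(key, events, ctx)
        p = posterior_malicious(obs)
        verdicts[key] = ("escalate" if p >= escalate_at else "ticket_to_admin",
                         round(p, 4), sorted(obs))
    return verdicts
```

The rule fires on both bursts. The change-ticket shortcut discards both, including the external source that finally logs in. The scorer ranks the expired service account as benign, which is the ticket-to-the-administrator outcome described above, while the external burst that ends in success scores above the escalation threshold even though it also sits inside the change window. The ratios themselves are the part a real system has to learn or tune; the structure, combining every observation rather than stopping at the first, is the point.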

Enter the autonomous analyst

Now consider an autonomous analyst, one that operates at machine speed and brings all relevant logs and contextual information into a single, complete analysis. Imagine being able to look at every log or alert and reason about it using more than 50 dimensions. The successful identification of attackers in your environment increases dramatically. With revolutionary technologies such as AI-based expert systems advancing security operations, an autonomous analyst is no longer a concept, but a reality.

In fact, the Respond Analyst is a new kind of analyst that automates and autonomously performs the monitoring, analysis, case building and escalation tasks of a skilled level-1 security operations analyst. The Respond Analyst looks at every alert on an enterprise scale, never tires, is relentlessly consistent, blindingly fast, and won’t resign and take your tribal knowledge away. The end of console monitoring is here.